FIG. 1 shows a prior art system 100 in which a user 3 stores secrets 5 on a remote server computer 10, where the term secrets is used broadly to mean any data or information that the owner wishes to keep private. The user 3 accesses the secrets 5 using a client computer 15 that is connected to the server computer 10 via a data or telecommunications network 20, such as the Internet. Storage of the secrets 5 on the server 10 allows the user 3 to access the secrets 5 from any client computer connected to the network 20.
To help prevent the secrets 5 from being obtained by others, the secrets 5 are typically encrypted. Encrypting the secrets 5, for example, by use of a key 24, prevents someone who has gained access to the encrypted secrets 5, for example, by compromise of the server 10 or by observing the user's communications with the server 10 over the network 20, from learning the secrets 5. The encryption of the secrets 5 can be performed according to various known techniques including symmetric encryption, in which the same key 24 is used for both encryption and decryption, and/or asymmetric encryption, in which different keys are used for encryption and decryption respectively.
As the number of possible values from which a key 24 might be chosen (the “key space”) is increased by changing the encryption implementation, it becomes increasingly difficult for an attacker to try every possible decryption key 24. At some point, the number of possible keys is so great that an encrypted secret 5 cannot feasibly be decrypted by trying each possible key 24. This is referred to as strong encryption, because the large key space makes the encryption stronger. For example, a key that is chosen from the set of all known English words is much weaker than a key that is chosen from the set of all 1024-bit numbers. An encryption and/or decryption key 24 that is selected from a large key space is typically cumbersome for a user 3 to employ, however, because long sequences of characters are difficult for humans to remember. Users 3 may be inclined to write down such sequences, thereby making the key available to an attacker. To ease the memory burden on users 3, shorter decryption keys 24 are frequently used, with the disadvantage that it may be feasible for a party that has access to the encrypted secrets 5 to decrypt the encrypted secrets 5 by trying every possible key.